Linux Security: Working with IP sets and iptables
IP Sets can facilitate the management of a complex firewall ruleset. This exercise refreshes basic skills with the iptables command and begins developing an understanding of working with IP Sets.
Create a new IP set called ‘clienthosts’ that contains the IP and port combinations for each client server. Be sure the ipset is configured to persist across a reboot.
Run the following commands:
ipset create clienthosts hash:ip,port
ipset add clienthosts 10.0.1.100,80
ipset add clienthosts 10.0.1.200,80
ipset save clienthosts > /etc/sysconfig/ipset
Add a new rule to the INPUT chain that accepts traffic whose source IP and destination port match an entry in the ‘clienthosts’ set. The rule should persist across a reboot.
Run the following commands:
iptables -I INPUT -m set --match-set clienthosts src,dst -j ACCEPT
iptables-save > /etc/sysconfig/iptables
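As an added example (not part of the original exercise), the script below builds the restore-format file that ipset save writes to /etc/sysconfig/ipset from a validated list of IP,port entries, and cross-checks a saved iptables file so a rule never references a set that will not exist after a reboot. The set name, entries, the second 'adminhosts' set and the temp file paths are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original exercise: build the restore-format
# file that the ipset service loads from /etc/sysconfig/ipset, validating
# every IP,port entry first so a typo cannot reach the live 'clienthosts'
# set, and cross-check that each set the saved iptables rules match on is
# actually defined. Set name, entries and file paths are constructed samples.
set -f   # no pathname expansion while splitting addresses on '.'

# valid_entry IP,PORT -> 0 for a dotted quad (octets 0-255) and port 1-65535
valid_entry() {
    ip=${1%,*}; port=${1#*,}
    [ "$ip" != "$1" ] || return 1                      # no comma present
    case "$port" in ''|*[!0-9]*) return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_restore SETNAME IP,PORT... -> ipset restore syntax on stdout, 1 on a bad entry
# ipset assumes tcp when a hash:ip,port entry omits the protocol; write it out.
build_restore() {
    name=$1; shift
    for e in "$@"; do
        valid_entry "$e" || { echo "rejected entry: $e" >&2; return 1; }
    done
    printf 'create %s hash:ip,port family inet hashsize 1024 maxelem 65536\n' "$name"
    for e in "$@"; do
        printf 'add %s %s,tcp:%s\n' "$name" "${e%,*}" "${e#*,}"
    done
}

# missing_sets IPSET_FILE IPTABLES_FILE -> names of sets the rules match on
# but the ipset file never creates (iptables-restore would fail on them at boot)
missing_sets() {
    grep -o -- '--match-set [^ ]*' "$2" | awk '{print $2}' | sort -u |
        while read -r s; do grep -q "^create $s " "$1" || echo "$s"; done
}

# Demo on constructed data: a rule for a set that was never saved is flagged.
tmp=$(mktemp -d)
build_restore clienthosts 10.0.1.100,80 10.0.1.200,80 > "$tmp/ipset"
printf '*filter\n-A INPUT -m set --match-set clienthosts src,dst -j ACCEPT\n' > "$tmp/iptables"
printf -- '-A INPUT -m set --match-set adminhosts src -j ACCEPT\nCOMMIT\n' >> "$tmp/iptables"
missing_sets "$tmp/ipset" "$tmp/iptables"   # prints: adminhosts
```

On the real host, the generated file is loaded with ipset restore < /etc/sysconfig/ipset, which is what the ipset service does at boot before iptables is restored.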